July 16, 2013

New slides about NSA collection programs

(Updated: November 30, 2014)

Over the last month, the publication of various slides of a powerpoint presentation about the top secret NSA collection program PRISM caused almost worldwide media attention. Less known is that a number of new slides about other NSA collection programs were published on July 6 by the Brazilian newspaper O Globo.

These and a few other slides were also shown on Brazilian televion, combined with an interview with Guardian-columnist Glenn Greenwald, who lives in Rio de Janeiro. Screenshots of some of the slides shown on Brazilian television became available on Flickr (see Links and Sources). On July 21, the German magazine Der Spiegel published some extra details about the XKEYSCORE program.

Brazilian television and the O Globo website presented a whole new series of four slides from what seems to be a presentation about the FAIRVIEW program or maybe the broader "collection of communications on fiber cables and infrastructure as data flows past", which was called "Upstream" in one of the PRISM-slides.

The first slide (below) shows the logos of the NSA and its Special Source Operations (SSO) unit, and a map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment". As DNI stands for Digital Network Intelligence, this map apparently shows internet traffic to North Korea, as traced by the FAIRVIEW program.

According to O Globo these maps show the amount of exchanged messages and phone calls (allthough DNI only refers to internet traffic) by various countries in the world with North Korea, Russia, Pakistan and Iran. Below we see DNI traffic to Pakistan on March 4 and 5, 2012:

A third slide shows a list op "Top 20 Pakistani domains (.pk)" which where apparently tracked between February 15, 2012 and March 11, 2012:

A fourth slide shows some lines with names of collection managers of OAKSTAR, BLARNEY and what appears to be the STORMBREW and (the hitherto unknown) OCELOT programs (Update: newly disclosed slides show that the latter word is actually MADCAPOCELOT). Brazilian television showed this slide uncensored with the names visible, but here we blacked them out:

According to former NSA official Thomas Drake FAIRVIEW is a highly classified program for tapping into the world’s intercontinental fiber-optic cables. It acts as an "umbrella program" with other programs underneath it. One of them is BLARNEY, which is a program to access internet data at key junctions and is facilitated by arrangements with commercial cable companies and internet servce providers.

According to Drake, "BLARNEY is to the international Internet space as PRISM is to the domestic". FAIRVIEW is apparently also the method through which the NSA receives the information it has collected, essentially co-opting the fiber optic cables to transmit the data back to the agency to be analyzed by data mining programs.

The Brazilian television also showed one slide from a presentation which wasn't mentioned or seen earlier. The only information we have, is the slide itself and what the O Globo website tells about it:

The slide is titled PRIMARY FORNSAT COLLECTION OPERATIONS, and the O Globo website says it shows a network of 16 facilities for intercepting transmissions from foreign satellites. The slide shows markings in blue and green, where blue represents "US Sites" and green "2nd Party" for intercepting locations run by partner signals intelligence agencies of the UKUSA Agreement.

Most of these locations were part of the ECHELON satellite intercept program. The NSA station at Bad Aibling in Germany was closed down in 2004 and turned over to the German foreign intelligence agency BND. At the same time, a joint NSA-BND unit was established at the nearby Mangfall Barracks.

According to Snowden, the NSA personnel from this unit maintain their own communications hub connected to the NSA headquarters. This cooperation between NSA and BND is based on a Memorandum of Agreement dated April 28, 2002.

The SCS sites in Brasilia and New Delhi are units of the Special Collection Service, a joint CIA/NSA program to collect information through covert listening posts based in US embassies in foreign capitals.

Update:
An article showing a better version of the map says that it's from 2002, which explains why it shows the stations at Bad Aibling and Sabena Seca, both of which have since closed.

Already nine slides from the presentation about the PRISM data collection program were published on the websites of The Guardian and The Washington Post. On this weblog we also discussed the first five slides and the following four slides, which were additionally published by the Post.

The Brazilian television showed two new pictures, the first is the fifth slide published by The Guardian, but only showing the world map with fiber optic cables, and without the text balloons about "Upstream" and "PRISM" collection methods, which apparently show up after clicking the original powerpoint presentation:

The slide which is below was not published earlier. Just like the previous slide, this one is also about "FAA702 Operations", which means operations under section 702 of the FISA Amendment Act (FAA) of 2008. The slide shows the same world map with fiber-optic cables and is hardly readable, but according to Wikipedia, the subheader reads "Collection only possible under FAA702 Authority" and the program name FAIRVIEW is the central cyan colored box. Maybe the codenames of other programs are in the yellow box at the right side:

An eleventh slide of the PRISM presentation appeared on the website of O Globo, some days after the previous slides were shown on television. This slide is titled "A Week in the Life of PRISM Reporting" and shows some samples of reporting topics from early February 2013:

It seems the bottom part of this slide was blacked out by Brazilian media, as the Indian paper The Hindu disclosed that this slide also mentions "politics, space, nuclear" as topics under the header "India", and also information from Asian and African countries is contributing to a total of "589 End product Reports".

These lists show that PRISM is used for collecting data about the usual strategical and tactical targets and not about ordinary people, as most of the media reports suggest.

Brazilian television showed a whole new set of slides about the XKEYSCORE program. According to O Globo, XKEYSCORE detects the nationality of foreigners by analysing the language used within intercepted emails, which the paper claims has been applied to Latin America and specifically to Colombia, Ecuador, Venezuela and Mexico.

In total, O Globo showed four slides about the XKEYSCORE program, which are classified as TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL. This means this information can be shared with signals intelligence agencies from Australia, Canada, Great Britain and New Zealand, which are cooperating under the so called UKUSA Agreement.

XKEYSCORE collects data with the help of over 700 servers based in "US and allied military and other facilities as well as US embassies and consulates" in several dozen countries. These locations are shown on the slide below:

The next slide shows how the collected data of so-called sessions are processed by separating them into different communication information, which are stored in various databases:

According to O Globo the XKEYSCORE can also track people by localities when they are using Google Maps:

This slide is follewed by one showing a map of Afghanistan and surrounding countries with a lot of coloured marking points, without any clarification of what they represent:

According to new information published by the German magazine Der Spiegel (pdf) on July 21, the slides about X-KEYSCORE are from a presentation dated February 25, 2008. It's said that, starting with the metadata, the program is able to retroactively reveal any terms a targeted person has typed into a search engine like Google or Google Maps. Furthermore, there's a buffer storage capable of storing a "full take" of intercepted raw data for several days. X-KEYSCORE can also to monitor user activity in near real time, as well as showing "anomalies" in internet traffic.

In December 2012, XKEYSCORE gathered around 180 million data sets from Germany alone. Apparently the German federal security service BfV was equipped with XKEYSCORE to "expand their ability to support NSA as we jointly prosecute CT [counterterrorism] targets" and the German foreign intelligence agency BND was tasked with instructing the BfV on how to use the program.

On July 25, the directors of the German intelligence agencies briefed members of the German parliamentary intelligence oversight committee about the various NSA programs. They said that XKEYSCORE is used by the BND since 2007, that BfV uses a test version since 2012, and that this program is not for collecting data, but only for analysing them. The director of the BfV even gave a partial demonstration of the test version of XKEYSCORE.

Update:
On July 31, The Guardian published a full presentation about XKEYSCORE, which confirms that this program is not for data collection, but for data analysing.

(Updated on September 22 with the eleventh PRISM slide and on October 23 with a better FornSat slide)

9 comments:

If you mean the Prosecutor's Management Information System (ProMIS), that's a case-management system for prosecutors from the 1970s, with the ability of tracking all the names of all the people in all the cases, which can also integrate innumerable databases without requiring any reprogramming.

Apparently it became also to be used by intelligence agencies, as for them it could have been a powerful tracking device capable of monitoring intelligence operations, agents and targets, instead of legal cases (according to the Wikipedia-article).

But I think this description is overestimating the capabilities of the program, just like the media are now overestimating many of the capabilities of the NSA.

Here is one of the XKEYSCORE presentations in PDF: http://cryptome.org/2013/07/nsa-xkeyscore.pdf

Please note that apparently there are more presentations, as you can see from the different slides, shown on the website of The Guardian: http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

Regarding the FORNSAT (Foreign Satellite Collection) part, the Misawa codename is probably LADYLOVE, a codename dating back to the 1990s. I remember having seen also TIMBERLINE and MOONPENNY in Duncan Campbell papers about Echelon from the late 1990s.

The three last US facilities seem to be CORALINE / Sabena Seca at Puerto Rico, LEMONCOCO / Thailand. The last one seems to be a SCS (Special Collection Service) site, but I wonder why in northern Brazil rahter than in Brasilia or in another big city ?

The last "2nd Party" site seems to be the Shoal Bay station near Darwin, Australia. Strangely, it seems that SHOAL BAY is written in caps as if it was a code name.

There are actually 2 extremely similar slides. One says FAIRVIEW, the other says STORMBREW. You have the STORMBREW one on your website. (Stormbrew is a longer blur :) ) There is also closeup of the graphic in the lower right, it's a stereotypical terrorist.

I suspect that there are 2 additional slides in the presentation, one for BLARNEY and another for OAKSTAR.

There are 2 additional prism slides, shown on Brazilian TV, they are also taken from Greenwald's laptop. One is a fragment. But the other, while barely legible, is also very significant.

It is points to remember for the analysts. It shows that analysts no not necessarily need to go through the FISC process at all, but though a person called an FAA adjudicator. The last sentence is "Get to know your Product Line FAA adjudicators and FAA leads" I will vouch for the transcript.

There's a better version of the FORNSAT slide here: http://www.defesaaereanaval.com.br/?p=24021

The report says the slide dates from 2002, which explains why the U.S. sites GARLICK (with a K) and CORALINE, both of which have since closed, are shown. Note the name of the Thailand site is actually LEMONWOOD, and that of Oman appears to be SNICK.

US Red Phones

Sequence of the real Red Phones, not for the Washington-Moscow Hotline, but for the US Defense Red Switch Network (DRSN). The phones shown here were in use from the early eighties up to the present day and most of them were made by Electrospace Systems Inc. They will be discussed on this weblog later.

Contact

For questions, suggestions and other remarks about this weblog in general or any related issues, please use the following e-mail address: info (at) electrospaces.net

For sending an encrypted e-mail message, you can use the PGP Public Key under this ID: FD9FD4E6

You can also communicate through Twitter: @electrospaces or XMPP/Jabber chat by using the address electrospaces (at) limun.org

The title picture of this weblog shows the watch floor of the NSA's National Security Operations Center (NSOC) in 2006. The URL of this weblog recalls Electrospace Systems Inc., the company which made most of the top level communications equipment for the US Government. All information on this weblog is obtained from unclassified or publicly available sources.QW5kIGZpbmFsbHksIHRoaXMgaXMgd2hhdCBhIHRleHQgbG9va3MgbGlrZSwgd2hlbiBpdCdzIG9ubHkgZW5jb2RlZCB3aXRoIHRoZSBzdGFuZGFyZCBCYXNlNjQgc3lzdGVtLiBHdWVzcyBob3cgY29tcGxpY2F0ZWQgaXQgbXVzdCBiZSB3aGVuIGEgcmVhbCBzdHJvbmcgYWxnb3JpdGhtIHdhcyB1c2VkLg==